
Permit outbound management

As discussed in Azure.NSG.LateralTraversal, outbound management traffic is expected from some subnets. Subnets that are expected to allow outbound management traffic may include:

  • Privileged access workstations (PAWs)
  • Bastion hosts
  • Jump boxes

As a result, you may want to suppress the Azure.NSG.LateralTraversal rule on NSGs for these special cases.

Abstract

This topic provides an example you can use to configure PSRule to ignore special case NSGs.

Create a suppression group

Within the .ps-rule sub-directory create a file called Org.Azure.Suppressions.Rule.yaml. If the .ps-rule sub-directory does not exist, create it in the root of your repository.

Use the following snippet to populate the suppression group:

```yaml
---
# Synopsis: Ignore NSG lateral movement for management subnet NSGs such as Azure Bastion.
apiVersion: github.com/microsoft/PSRule/v1
kind: SuppressionGroup
metadata:
  name: Org.Azure.PermitOutboundManagement
spec:
  rule:
  - PSRule.Rules.Azure\Azure.NSG.LateralTraversal
  if:
    allOf:
    - type: '.'
      in:
      - Microsoft.Network/networkSecurityGroups

    # Suppress NSGs with bastion or management in their name
    - name: '.'
      contains:
      - bastion
      - management
```

Some key points to call out with the suppression group snippet include:

  • The name of the suppression group is Org.Azure.PermitOutboundManagement. Each resource name must be unique.
  • The suppression group applies to:
    • The rule PSRule.Rules.Azure\Azure.NSG.LateralTraversal.
    • Run against NSGs with the type Microsoft.Network/networkSecurityGroups.
    • When the name of the NSG contains bastion or management. The suppression group uses expressions to determine when a resource is suppressed. Update this condition to match your environment. For example, the following NSGs would be suppressed by this suppression group:
      • nsg-bastion-prod-eus-001
      • nsg-hub-management-prod-001
  • The synopsis comment above the suppression group is included in output as the explanation for the suppression.

Tip

Expressions can be combined within a suppression group using allOf or anyOf operators.
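A suppression silences findings, so it is worth checking its scope before committing it. The following Python is an added example, not PSRule code or part of the PSRule for Azure project: it models only the allOf/anyOf grouping and the `in` and `contains` operators used in the snippet above, and runs the condition over constructed sample resources so you can see which names it would suppress and confirm that non-NSG resources and other NSGs stay in scope.

```python
from typing import Any, Dict, List

# `spec.if` from Org.Azure.Suppressions.Rule.yaml, transcribed as a dict so the
# example runs without a YAML parser.
SUPPRESSION_IF: Dict[str, Any] = {
    "allOf": [
        {"type": ".", "in": ["Microsoft.Network/networkSecurityGroups"]},
        {"name": ".", "contains": ["bastion", "management"]},
    ]
}

# Constructed sample resources in ARM template shape (not from a real deployment).
SAMPLE_RESOURCES: List[Dict[str, str]] = [
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "nsg-bastion-prod-eus-001"},
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "nsg-hub-management-prod-001"},
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "nsg-app-prod-eus-001"},
    {"type": "Microsoft.Network/virtualNetworks/subnets", "name": "snet-management-prod-001"},
]


def evaluate(condition: Dict[str, Any], resource: Dict[str, str]) -> bool:
    """Evaluate a PSRule-style condition against one resource.

    Models only allOf/anyOf grouping, the `name: '.'` / `type: '.'` selectors
    (the object's own name and type) and the `in` / `contains` operators.
    Assumption: both operators compare case-insensitively, PSRule's default
    unless caseSensitive is set on the condition.
    """
    if "allOf" in condition:
        return all(evaluate(sub, resource) for sub in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(sub, resource) for sub in condition["anyOf"])

    selector = next((key for key in ("name", "type") if key in condition), None)
    if selector is None or condition[selector] != ".":
        raise ValueError(f"unsupported selector in condition: {condition}")
    value = resource.get(selector, "").lower()

    if "in" in condition:
        return value in {candidate.lower() for candidate in condition["in"]}
    if "contains" in condition:
        return any(needle.lower() in value for needle in condition["contains"])
    raise ValueError(f"unsupported operator in condition: {condition}")


def suppressed_names(resources, condition=SUPPRESSION_IF) -> List[str]:
    """Names of resources the suppression group would silence; review before committing."""
    return [r["name"] for r in resources if evaluate(condition, r)]
```

Feed `suppressed_names` the resources from your own templates to get the list of NSGs the group would silence; anything unexpected on that list means the `contains` condition is broader than intended.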
